[ros-diffs] [tkreuzer] 32810: fix handling of unsafe string parameter in NtGdiGetFontResourceInfoInternalW

tkreuzer at svn.reactos.org tkreuzer at svn.reactos.org
Tue Apr 1 20:21:06 CEST 2008


Author: tkreuzer
Date: Tue Apr  1 13:21:06 2008
New Revision: 32810

URL: http://svn.reactos.org/svn/reactos?rev=32810&view=rev
Log:
fix handling of unsafe string parameter in NtGdiGetFontResourceInfoInternalW

Modified:
    trunk/reactos/subsystems/win32/win32k/objects/text.c

Modified: trunk/reactos/subsystems/win32/win32k/objects/text.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/objects/text.c?rev=32810&r1=32809&r2=32810&view=diff
==============================================================================
--- trunk/reactos/subsystems/win32/win32k/objects/text.c [iso-8859-1] (original)
+++ trunk/reactos/subsystems/win32/win32k/objects/text.c [iso-8859-1] Tue Apr  1 13:21:06 2008
@@ -4358,6 +4358,7 @@
     DWORD dwBytes;
     UNICODE_STRING SafeFileNames;
     BOOL bRet = FALSE;
+    ULONG cbStringSize;
 
     union
     {
@@ -4375,13 +4376,26 @@
         return FALSE;
     }
 
-    /* Check buffers and copy pwszFiles */
+    /* Allocate a safe unicode string buffer */
+    cbStringSize = cwc * sizeof(WCHAR);
+    SafeFileNames.MaximumLength = SafeFileNames.Length = cbStringSize - sizeof(WCHAR);
+    SafeFileNames.Buffer = ExAllocatePoolWithTag(PagedPool,
+                                                 cbStringSize,
+                                                 TAG('R','T','S','U'));
+    if (!SafeFileNames.Buffer)
+    {
+        SetLastWin32Error(ERROR_NOT_ENOUGH_MEMORY);
+        return FALSE;
+    }
+
+    /* Check buffers and copy pwszFiles to safe unicode string */
     _SEH_TRY
     {
-        ProbeForRead(pwszFiles, cwc * sizeof(WCHAR), 1);
-        bRet = RtlCreateUnicodeString(&SafeFileNames, pwszFiles);
+        ProbeForRead(pwszFiles, cbStringSize, 1);
         ProbeForWrite(pdwBytes, sizeof(DWORD), 1);
         ProbeForWrite(pvBuf, cjIn, 1);
+
+        RtlCopyMemory(SafeFileNames.Buffer, pwszFiles, cbStringSize);
     }
     _SEH_HANDLE
     {
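Review bot: `cbStringSize = cwc * sizeof(WCHAR)` is used without a visible bound on `cwc`: if `cwc` is 0, `cbStringSize - sizeof(WCHAR)` wraps, and any byte count larger than the 16-bit `Length`/`MaximumLength` fields of UNICODE_STRING can hold is silently truncated while the allocation and copy still use the full size. Unless the check that ends just above this hunk already constrains it, a guard such as `if (cwc == 0 || cwc > MAXUSHORT / sizeof(WCHAR)) return FALSE;` before the allocation would close both cases. The copied data also comes from user mode and is only assumed to end in a terminator; writing `SafeFileNames.Buffer[cwc - 1] = UNICODE_NULL;` right after the `RtlCopyMemory` makes the `Length` calculation hold regardless of what the caller passed. The function body starts and ends outside this hunk, so the type of `cwc` is inferred from how it is used here.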
@@ -4389,20 +4403,15 @@
     }
     _SEH_END
 
-    if(!bRet)
-    {
-        /* Could not create the unicode string, so return instantly */
+    if(!NT_SUCCESS(Status))
+    {
+        SetLastNtError(Status);
+        /* Free the string buffer for the safe filename */
+        ExFreePool(SafeFileNames.Buffer);
         return FALSE;
     }
 
-    if(!NT_SUCCESS(Status))
-    {
-        SetLastNtError(Status);
-        /* Free the string for the filename */
-        RtlFreeUnicodeString(&SafeFileNames);
-        return FALSE;
-    }
-
+    /* Do the actual call */
     bRet = IntGdiGetFontResourceInfo(&SafeFileNames, &Buffer, &dwBytes, dwType);
 
     /* Check if succeeded and the buffer is big enough */
@@ -4428,8 +4437,8 @@
         }
     }
 
-    /* Free the string for the filename */
-    RtlFreeUnicodeString(&SafeFileNames);
+    /* Free the string for the safe filenames */
+    ExFreePool(SafeFileNames.Buffer);
 
     return bRet;
 }


